AuraWatch Enterprise Security
Deterministic AST + Z3 Symbolic Code Security Scanner and Auto-Fixer.
🌴 AuraWatch Enterprise Security

By OptiRefine

AuraWatch is a deterministic, high-performance static analysis and auto-remediation engine for VS Code, Cursor, and Windsurf.

Unlike AI coding assistants that guess at vulnerabilities and hallucinate fixes, AuraWatch uses Lossless Semantic Trees (LST) and the Z3 Symbolic Execution Engine to mathematically prove vulnerabilities and surgically rewrite your AST with zero syntax errors — and when a vulnerability is too structurally complex for deterministic patching, a locally-embedded AI steps in, validated by the same scanner that found the issue.


✨ Key Features

🛡️ Deterministic Auto-Remediation (No Hallucinations)

AuraWatch uses AST transformation — LibCST for Python, ts-morph for JS/TS — to structurally patch your code. Vulnerable nodes are surgically replaced in the tree and rendered back to text. No guessing, no syntax errors, no dropped comments. Every generated patch opens in a native Diff Viewer before anything touches your file.

🤖 Hybrid AI Auto-Fix — Local, Private, Verified

Some vulnerabilities require structural rewrites that no deterministic rule can safely generate without context. For these, AuraWatch activates an embedded Qwen2.5-Coder 1.5B model that runs entirely on your machine — no API calls, no cloud, no data leaving your environment.

What makes this different from a regular AI fix is the closed verification loop:

  1. The local AI generates a patch guided by a precise, CWE-specific remediation pattern.
  2. The patch is immediately sent to the deterministic scanner — the same engine that found the original vulnerability.
  3. If the scanner rejects it (vulnerability still present, or a new one was introduced), the AI enters a structured reflection turn: it is shown the exact scanner report, the line numbers that failed, and — critically — the remediation pattern for any new vulnerability it accidentally created. It then answers three specific questions about its own code before attempting a fix again.
  4. This loop repeats up to 3 times with escalating reasoning temperature, so each attempt genuinely explores a different approach rather than repeating the same tokens.
  5. Only a patch that passes a clean scanner run is surfaced to you for review in the Diff Viewer.

The AI never autonomously applies changes. You always see the diff and choose to accept or discard it.

Hardware-adaptive performance: AuraWatch automatically detects and uses Metal (Apple Silicon), CUDA (Nvidia), or Vulkan (AMD) if available, falling back to CPU-only mode on machines without a compatible GPU. On an M2 MacBook, fix attempts complete in 3–6 seconds. On a CPU-only laptop, expect 25–60 seconds per attempt.

🧮 Z3 Symbolic Execution

AuraWatch doesn't just read your code — it runs it through a theorem prover. The integrated Z3 SMT solver analyzes execution paths to mathematically prove critical application crashes before they happen:

  • Provable Division by Zero (CWE-369)
  • Negative Array / Out-of-Bounds Indexing (CWE-125)
  • Dead Code & Contradictory Logic Branches (CWE-561)
  • Negative Memory Allocations (CWE-789)
  • NULL Pointer Dereference (CWE-476)

🕵️‍♂️ Deep AST Vulnerability Detection

Catches complex architectural flaws that regex-based linters miss.

Python: Dynamic OS Command Injection (f-strings/concatenation), hidden shell=True execution, insecure deserialization (Pickle/YAML), assert-based security bypasses, Jinja2 SSTI, unsafe eval/exec usage.
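As an added illustration of the kind of AST-level check described above (example code written for this page, not the extension's own engine or rules), here is a stdlib-only detector that flags shell-executing calls and reports whether the command string is assembled from runtime values, separating the f-string and concatenation cases from a static command and from the argv form. The sample source it scans is constructed for the example.

```python
import ast

# Constructed sample source (not from the extension); SAMPLE line 1 is blank.
SAMPLE = """
import subprocess, os
def list_dir(user_path):
    subprocess.run(f"ls -l {user_path}", shell=True)   # f-string into a shell
    os.system("ls -l " + user_path)                    # concatenation into a shell
    subprocess.run(["ls", "-l", user_path])            # argv form, no shell: not flagged
    subprocess.check_output("uptime", shell=True)      # static command: shell=True only
"""

# Calls that hand a command string to a shell; os.system/os.popen always do.
SHELL_SINKS = {"subprocess.run", "subprocess.call", "subprocess.check_call",
               "subprocess.check_output", "subprocess.Popen", "os.system", "os.popen"}
ALWAYS_SHELL = {"os.system", "os.popen"}

def dotted_name(node):
    # Resolve Name/Attribute chains such as subprocess.run to "subprocess.run".
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None

def is_dynamic(node):
    # Conservative taint check: is the command string built from runtime values?
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.JoinedStr):  # f-string with at least one {expr}
        return any(isinstance(v, ast.FormattedValue) for v in node.values)
    if isinstance(node, ast.BinOp):      # "ls " + x  or  "ls %s" % x
        return is_dynamic(node.left) or is_dynamic(node.right)
    return True  # names, .format() calls, subscripts: assume attacker-influenced

def scan(source):
    # Return (line, sink, dynamic) for every call whose command reaches a shell.
    findings = []
    tree = ast.parse(source)
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        sink = dotted_name(node.func)
        if sink not in SHELL_SINKS:
            continue
        shell = sink in ALWAYS_SHELL or any(
            kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
            for kw in node.keywords)
        if shell and node.args:
            findings.append((node.lineno, sink, is_dynamic(node.args[0])))
    return findings
```

Running `scan(SAMPLE)` reports lines 4 and 5 as dynamic shell commands and line 7 as a static command with `shell=True`; the argv call on line 6 is not reported.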

JavaScript / TypeScript: Prototype Pollution, unguarded database connections, unsafe await property chains, XSS via unsanitized dangerouslySetInnerHTML.

📦 Hallucinated Dependency Defense

AuraWatch actively queries the NPM registry during scans to verify that your imports actually exist, protecting you from Dependency Confusion attacks triggered by AI-hallucinated package names.

🌊 Plain-English "Vibe Checks"

Security jargon is exhausting. Type /VibeCheckThis CWE-1321 in the sidebar and AuraWatch translates any vulnerability ID into a plain-English explanation of exactly how a hacker would exploit it in the real world.


🚀 Usage

AuraWatch lives in your IDE sidebar. Open any Python, JavaScript, TypeScript, or React file and use:

  • scan — Analyzes the active file using the AST + Z3 engine.
  • fix — Generates safe, deterministic AST patches for all supported vulnerabilities. Complex issues that need structural rewrites are handed off to the local Hybrid AI, which retries until the scanner confirms a clean result.
  • /VibeCheckThis [ID] — Plain-English explanation of any vulnerability ID.

Tip: Highlight a specific block of code, right-click, and select AuraWatch: Scan Selection to target a single function or component.


🏗️ Architecture: How the Two Layers Work Together

Most security tools make you choose between accuracy (deterministic rules) and coverage (AI that can reason about structure). AuraWatch runs both in sequence.

Your Code
    │
    ▼
┌─────────────────────────────────────┐
│  Layer 1: Deterministic Engine      │
│  AST analysis + Z3 symbolic math    │
│  → Zero false positives             │
│  → Instant, rule-based patches      │
│  → Handles ~80% of vulnerabilities  │
└──────────────┬──────────────────────┘
               │ Complex / structural issues
               ▼
┌─────────────────────────────────────┐
│  Layer 2: Local Hybrid AI           │
│  Qwen2.5-Coder 1.5B (on-device)     │
│  → CWE-specific remediation hints   │
│  → Structured reflection on retry   │
│  → Every patch re-scanned by L1     │
│  → Diff view before any apply       │
└─────────────────────────────────────┘
               │ Verified clean patch
               ▼
        Diff View → You Decide

Why this matters: The AI layer never operates unsupervised. Every patch it produces goes back through the deterministic scanner before it reaches you. If the AI introduces a new vulnerability while fixing the original one — a common failure mode with small models — the scanner catches it, and the AI is shown exactly what it created and why it's dangerous before trying again. The only patches you ever see are ones the mathematical engine has cleared.


⚙️ Installation & Setup

AuraWatch connects to your secure, isolated OptiRefine Cloud Run engines.

  1. Install the extension from the Marketplace.
  2. Open VS Code Settings (Cmd/Ctrl + ,) and search for AuraWatch.
  3. Configure your credentials:
    • aurawatch.tsEngineUrl — URL to your Node.js ts-morph engine.
    • aurawatch.coreEngineUrl — URL to your Python LST + Z3 engine.
  4. Open the AuraWatch sidebar, enter your email, and sign in via the magic link.
  5. Optionally click Enable Local AI to download the embedded Qwen2.5-Coder model (~1.1 GB, one-time). Required for Hybrid AI fixes on complex vulnerabilities.

(Note: configuration keys use the aurawatch.* namespace.)


Built by OptiRefine.
